Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to consume the Credential store with python

yannmiquel
Participant
‎09-19-2021 7:17 AM

For those interested in a secure repository for passwords and keys for applications running on SAP Business Technology Platform, the Credential store is the way to go. This blog describes very well how to set up the service, so I won’t repeat these steps here.


The aim of this post is to explain how to consume this service with Python 3. The blog mentioned above describes how to consume the service with Node.js. You can find in the official SAP API documention how to consume it with Java, Javascript, Swift, Curl, ABAP and SAPUI5. A GoLang sample is also available in this other documentation. Almost all languages but Python.


The context of this work is the management the HANA Cloud instance service (start and stop). For this task, one need to use the credentials of a Cloud foundry manager and we don’t want these written in plain text. Since updating a Cloud Foundry service with Python would be another topic, I will only expose here how to consume the Credential store.


The core python libraries are requests and python-jose, which have Apache 2-0 and MIT license respectively.


All of what follow could be written nicely in a function but I want to emphasise what do what.

Initialisation


After creating the service mycreds (free plan), we add in the namespace test the password Azerty for id_conn.

Getting the password from the python app


Let's start with the libraries:
import json

from cfenv import AppEnv

from jose import jwe

import requests

from requests.auth import HTTPBasicAuth

Since the app will be deployed in the same Space as the service, one can retrieve the environment variable (VCAP_SERVICES) easily with cfenv
env = AppEnv()

creds = env.get_service(name="mycreds") #name of the Cred.Store service

So creds here is a dictionary with the parameters of the service. Then, we call the API of this service to get the password associated with id_conn.  
headers = {'Accept': 'application/json',

           'Content-Type': 'application/jose',

           'DataServiceVersion': '2.0',

           'If-None-Match': '',

           'sapcp-credstore-namespace': 'test'} # name of the namespace



response = requests.get(creds.credentials.get('url')+"/password?name=id_conn",

                        headers=headers,

                        auth=HTTPBasicAuth(creds.credentials.get("username"),

                                           creds.credentials.get("password"))

                        )

The response is a JSON Web Encryption (JWE) with a four parts structure: Header, Encrypted Key, Ciphertext and the JWE Integrity Value.

The first part of the JWE will tell you something like
{

"alg": "RSA-OAEP-256",

"enc": "A256GCM",

"iat": 1631885785

}

The message encryption is implemented via symmetric encryption using Advanced Encryption Standard (AES), Galois Counter Mode (GCM) with 256 bit key size. The encryption of keys is supported using RSA Optimal Asymmetric Encryption Padding (OAEP).

The private key is given in the parameters but one needs to run some transformations before using it: first add header and footer and then convert in bytes:
private = creds.credentials.get("encryption",{}).get("client_private_key")

private_key = ("-----BEGIN PRIVATE KEY-----\n" +

               private +

               "\n-----END PRIVATE KEY-----")

private_key = private_key.encode()

Finally, one can decode the message and get the password
cred = jwe.decrypt(response.content, private_key)

cred = json.loads(cred.decode())

pwd= cred.get("value")

Another key can be useful : cred.get("modifiedAt") which indicates the last modification.

Test


If you want to "see" the password in a web application, you can encapsulate the code in this script
# -*- coding: utf-8 -*-

import os

from flask import Flask



### Add the previous lines here ####



@app.route("/")

def locale():

    return pwd



if __name__ == "__main__":

    app.run(host='0.0.0.0', port=port)

You should get :

 


 

Conclusion


As you can see, it's pretty easy to store and consume a password in a secured manner using this service. We have not cover the other functionalities here (like updating a password) but the main difficulties, from my point of view, are to know which python library to use for the encryption and how to format the API call. If some people are interested, I may write a follow up for the other functionalities.

That's all for today !
4 Comments
Labels in this area
Popular Blog Posts